Checkmarx Blog


Checkmarx vs Veracode: AppSec Predictions

Dec 12, 2016 By Maty Siman | Following Joseph Feiman’s post on the Veracode blog, Application Security Predictions for 2017 and Beyond, we are glad to see that a significant number of his predictions align with the trends that we have both seen and continue to act on. When it comes to certain predictions, however, our perspective is notably different. Joseph’s predictions focus on adapting security testing solutions to the fast-paced development environments that increasingly dominate the application development landscape. Therefore, security testing solutions should enable organizations to perform analysis at the earliest stage of the SDLC, specifically during development and ideally by developers. Let’s review Veracode’s predictions while demonstrating how and why Checkmarx’s perspective differs:

Securing the Energy Sector against Industrial Cyber Threats

Dec 08, 2016 By Paul Curran | Late in 2015, just over a month before hackers plunged over 230,000 residents of Western Ukraine into darkness for 6 hours, Forbes forecasted what it considered to be the biggest cybersecurity threat: the energy sector. They were right, and remain correct as the exploits and vulnerabilities of 2016 become the major challenges of 2017. Due to the prevalence of unpatched legacy systems, the high cost of proper security, and the fact that many energy providers cannot afford the downtime to update their systems, the energy vertical is becoming an increasingly attractive target for hackers.

November 2016: Top Hacks and Breaches [INFOGRAPHIC]

Dec 07, 2016 By Arden Rubens | The winter is just getting started, and the damage is as big as ever with new vulnerabilities and malware leading to even more hacks and breaches. November’s biggest breach in numbers is the AdultFriendFinder hack, when a local file inclusion vulnerability led to the exposure of over 400m user details. Keeping up with the transportation-hacks trend, San Francisco’s transit system was hacked over the busy Thanksgiving weekend, as the hackers left the system unable to collect fares until a ransom of $70k in bitcoins was paid. And in a continued malware attack, millions (and counting) of Google accounts have been affected by malicious software. 

15 Vulnerable Sites To (Legally) Practice Your Hacking Skills – 2016 UPDATE

Dec 04, 2016 By Arden Rubens | As technology grows, so does the risk of getting hacked. So, it should come as no surprise that InfoSec skills are becoming more important and more in demand.
No matter if you’re a beginner or an expert, nor if you’re a security manager, developer, auditor, or pentester – you can now get started by using these 15 sites to practice your hacking skills – legally.
Do you have any other sites you use to practice on? Let us know below!

Beware of Spear Phishing

Nov 28, 2016 By Paul Curran | For malicious parties hoping to capitalize on the frantic frenzy of online purchasing, both the prevalence of email marketing and the popularity of mobile purchasing pose significant threats. The promise of incredible deals via email marketing campaigns presents the perfect attack vector for malicious parties to prey on unsuspecting shoppers.

The Biggest Hacks and Breaches of October 2016

Nov 23, 2016 By Arden Rubens | October proved to be a massive month for hacks and breaches. Hackers everywhere have been keeping busy, from a widespread cyberattack which took down major sites worldwide to the theft of over 3 million cash cards from several top Indian banks.
The US election, a proven hot topic in 2016, came with the Democratic National Committee (DNC) being hacked twice in a month, exposing thousands of emails. And over in Australia, the International Red Cross was hacked and files containing the personal details of blood donors were stolen. Check out the infographic below featuring some of October’s biggest breaches.

WordPress Security Check – Plugins Could Leave Online Shoppers and Businesses Vulnerable On Cyber Monday

Nov 22, 2016 By Paul Curran | As American shoppers gear up for the biggest shopping weekend of the year – the perfect storm of Thanksgiving Day, Black Friday and Cyber Monday – more and more shoppers are preparing to do their purchasing online from the comfort of their homes. In order to gain a better understanding of the potential threats posed by the hundreds of thousands of websites that use e-commerce plugins, the Checkmarx research lab used CxSAST, Checkmarx’s static code analysis solution, to run a WordPress security check of the most-used WordPress e-commerce plugins in the weeks leading up to Cyber Monday.

How a Local File Inclusion Vulnerability led to the AdultFriendFinder Hack

Nov 21, 2016 By Paul Curran | For millions of users, and former users, of websites on the Friend Finder Network, the service built to bring them closer to their fantasies is turning into a nightmare. In what Wired is calling a “privacy catastrophe,” over 400 million accounts, including deleted accounts, were breached on one of the world’s largest adult dating websites as the result of a Local File Inclusion vulnerability. AdultFriendFinder.com was acquired by Penthouse in 2007, which subsequently changed its name to Friend Finder Network. Under the Friend Finder Network exist numerous adult websites, of which AdultFriendFinder.com is the largest. Combined, these websites contain over 412 million past and present users, all affected by the latest hack. Besides AdultFriendFinder.com, the Friend Finder Network includes numerous adult-oriented “hookup” websites which include

Keys to Avoiding Data Security Breaches

Nov 17, 2016 By Arden Rubens | Data security breaches and exploits continuously make headlines as online organizations and applications are under constant attack by cyber criminals. The number of data breaches is increasing drastically year to year, putting millions of people at risk of identity theft and fraud. A consequential data breach has the power to wreck company assets and take down whole organizations by releasing sensitive data and embarrassing emails, so it only makes sense for an organization to take all necessary steps to protect its data. Data breaches can occur in a variety of scenarios, ranging from large-scale cyber attacks and hacking techniques to malicious activity within a system as the result of a portable device, a system outage or error, and poor or non-existent security policies. That being said, the most common cause of data security breaches is weak or stolen passwords. In fact, according to Verizon’s “2015 Data Breach Investigations Report”, a whopping 76% of network intrusions occurred as a result of weak credentials. Hackers crack passwords with the help of specific tools and techniques or by using malware or phishing attacks. Once the right password is in the wrong hands, it is game over for the company and the user alike. Here are some keys to help you avoid data breaches.

3 Web Application Security Lessons from Recent Vulnerabilities and Exploits

Nov 13, 2016 By Paul Curran | 2016 has been a hot year for hackers, and this trend shows no sign of stopping. Major hacks, and the breached data released as a result over the course of 2016, have led to millions in losses for the organizations that failed to establish proper web application security. The now-infamous Yahoo hack cast doubt on how Verizon was going to proceed with its $4.8 billion acquisition, while Iceland’s prime minister Sigmundur Davíð Gunnlaugsson resigned as part of the fallout from the Panama Papers.
